[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

NOCC: cross-site-scripting bug

I have just been forwarded this issue from bugtrack, it's a package I

I got in touch with upstream, and they will keep me updated on this.
I will upload as soon as there's a fix.

Is there anything else (Debian-security related) I should do appart form
trying to help upstream fix this?

Hash: SHA1

ppp-design found the following cross-site-scripting bug in NOCC:

- -------
Product: NOCC
Affected Version: 0.9.5 and maybe all versions before
Immune Version: none, authors are working on it
OS affected: all OS with php and mysql
Vendor-URL: http://nocc.sourceforge.net/
Vendor-Status: informed, working on a new version
Security-Risk: high
Remote-Exploit: Yes

- ------------
NOCC is a webmail client written in PHP. It provides webmail access to
IMAP and POP3 accounts. Unfortunatly the software displays a message
without checking for any malicous code.

More details
- ------------
A mail (even a text mail) is rendered as html. So a possible blackhat
can include any malicous code in an email and get full access to any
mailbox easily.

- ----------------
Just write an email to any NOCC user with the following text inside:


When the user is reading his mail a popup will come up showing his
session id. Of course there are many other possibilities to make use of
this bug.

- -------------
Users could disable Javascript but because there are still other
possiblilities to enter malicious code, this will only stop this
proof-of-concept from working.

- ---
None at the moment, but the authors are allready working on a new version.

- -------------
Because the software is widly spreaded according to their website, and
any blackhat can easily get full access to any emailaccount that is
managed using NOCC, we are rating the securtiy risk to high.

Vendor status
- -------------
We have informed the core developers, who reacted fastly and in a
recommedable way. They entered the bug to their bugzilla system. So
there is no need for us to wait with this publication, allthough there
is no fix ready until now.

- ----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or missuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online at:

- --
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org


 .''`.            Todo gira, todo vuelve, todo es mentira...
: :' :        
`. `'         Proudly running Debian GNU/Linux Sid (Kernel 2.4.18)  
  `-        www.amayita.com  www.malapecora.com  www.chicasduras.com  

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: